Agenomic is a B2B SaaS platform for AI agent governance. This policy explains, in plain language, what personal data we process, why, and the choices and rights you have. It is written to be read in layers — start with the summary in each section, and read on for detail.
1. Who we are
Company: Agenomic [legal entity — to confirm]
Registered address: [registered address — to confirm]
Privacy contact: privacy@agenomic.io
Data Protection Officer (DPO): We have not appointed a Data Protection Officer at this stage. For privacy requests, contact privacy@agenomic.io.
Supervisory authority: You may also lodge a complaint with your local data protection authority. In France, this is the CNIL.
2. Scope
This policy covers personal data processed through:
- the agenomic.io website;
- the Agenomic app / cloud platform;
- the CLI and SDKs, where they connect to Agenomic Cloud;
- the MCP Server, when connected to Agenomic Cloud;
- and our support and sales interactions.
3. Roles under the GDPR
Depending on the activity, Agenomic may act as:
- Controller — for account, billing, website, analytics, support, security and marketing data, where we decide why and how the data is processed.
- Processor — for customer-submitted agent data, traces, payload references, evidence artifacts and operational data processed on behalf of a customer.
For processor activities, the Data Processing Addendum governs the processing.
4. Personal data we collect
| Category | Examples | Source | Purpose |
|---|---|---|---|
| Account data | Name, email, organization, role, login metadata. | You / your organization | Create and manage your account. |
| Authentication & security data | IP address, login events, device/browser metadata, audit logs. | Collected automatically | Authenticate users and secure accounts. |
| Billing data | Billing contact, plan, invoices, payment metadata. We do not store full card data when payments are handled by a provider. | You / payment provider | Billing, invoicing and accounting. |
| Product usage data | Workspace, projects, run metadata, feature usage, CLI/SDK interactions. | Collected automatically | Operate and improve the service. |
| Agent governance data | Agent IDs, genome metadata, policy checks, run IDs, event types, hashes, ledger verification status. | You / your agents | Provide versioning, replay, audit and evidence features. |
| Customer content / trace data | Prompts, model outputs, tool payloads, redacted payloads, evidence artifacts — only if submitted or configured by the customer. Agenomic is designed to support hashes and redacted payloads instead of raw sensitive content. | You / your agents | Processed on your behalf to provide the service (processor role). |
| Support & communication data | Support tickets, messages, feedback. | You | Provide support and respond to requests. |
| Website analytics & cookies | Pages viewed, referrer, approximate location, cookie identifiers where enabled. | Collected automatically (with consent where required) | Understand and improve the website. |
5. Why we use personal data
| Purpose | Legal basis | Examples |
|---|---|---|
| Provide the service | Contract | Run the platform you signed up for. |
| Authenticate users and secure accounts | Contract / legitimate interest / legal obligation where applicable | Login, session security, audit logging. |
| Operate trace, ledger, replay and evidence features | Contract; for customer content, processor under the DPA | Record-keeping, replay reports, evidence packages. |
| Improve and monitor the service | Legitimate interest | Reliability, performance, debugging. |
| Provide support | Contract / legitimate interest | Answer tickets and questions. |
| Billing and accounting | Contract / legal obligation | Invoices, tax and accounting records. |
| Security, fraud prevention and abuse detection | Legitimate interest / legal obligation | Detect and prevent misuse. |
| Marketing communications | Consent or legitimate interest, depending on jurisdiction and context | Product updates and newsletters you can opt out of. |
| Legal compliance | Legal obligation | Respond to lawful requests and obligations. |
6. Agent traces, evidence and sensitive content
Agenomic may process agent traces, run metadata, policy checks, hashes, technical logs, replay reports, metrics, compliance reports and Evidence Packages.
Customers should not send unnecessary personal data, secrets, API keys, raw prompts, raw completions, or sensitive payloads unless they are genuinely needed and covered by appropriate safeguards.
Where supported, Agenomic stores hashes, redacted payloads, references and technical metadata rather than raw content.
Please do not submit:
- API keys or secrets;
- passwords;
- authentication tokens;
- unnecessary health data;
- unnecessary financial data;
- unnecessary special category data;
- children’s data, unless specifically agreed and legally supported.
7. Data handling by design
Agenomic is designed to support privacy-preserving agent governance through hashes, redaction, access controls and signed technical evidence. By default, the platform is built to favour:
- hashes over raw payloads;
- redacted payloads over raw content;
- object-storage references over raw content in the database;
- no raw prompt/completion logging;
- no secrets in traces;
- org-scoped access;
- configurable retention;
- Evidence Package redaction;
- MCP outputs redacted by default.
9. How long we keep data
| Data category | Typical retention | Notes |
|---|---|---|
| Account data | For the life of the account, then deleted or anonymized after [define retention period]. | Some records may be retained where legally required. |
| Security logs | [90–365 days] | Longer where needed for an active investigation. |
| Audit / evidence artifacts | As configured by the customer or contract | Customer controls retention for processor data. |
| Billing records | As required by accounting/tax law | Statutory retention applies. |
| Support messages | [define retention period] | Retained to provide continuity of support. |
| Marketing contacts | Until you unsubscribe or after an inactivity period | You can opt out at any time. |
| Cookies | As described in the Cookie Policy | Varies by cookie. |
10. Who receives personal data
We share personal data only as needed, with categories of recipients such as:
- hosting providers;
- cloud infrastructure;
- analytics providers;
- payment processors;
- customer support tools;
- email providers;
- security and monitoring providers;
- professional advisers;
- authorities where legally required.
A current list of third-party processors is available on our Subprocessors page.
11. International transfers
Depending on the providers involved, data may be processed outside the European Economic Area (EEA). Where required, Agenomic uses appropriate safeguards such as the European Commission’s Standard Contractual Clauses (SCCs) or an equivalent transfer mechanism.
You can ask us about the safeguards in place for a specific transfer by contacting privacy@agenomic.io.
12. Security
We use appropriate technical and organizational measures to protect personal data, including:
- encryption in transit;
- encryption at rest where supported;
- access controls and least privilege;
- audit logs;
- hash-based integrity verification;
- signed evidence artifacts;
- monitoring;
- backups;
- incident response.
No system can be guaranteed perfectly secure, but we work to keep our measures appropriate to the risk and to improve them over time.
13. Your rights
Subject to applicable law, you have the right to:
- request access to your personal data;
- request rectification of inaccurate data;
- request erasure;
- request restriction of processing;
- request data portability;
- object to processing;
- withdraw consent, where processing is based on consent;
- lodge a complaint with a supervisory authority.
To exercise your rights, contact privacy@agenomic.io. We may need to verify your identity before responding.
14. Automated decision-making
Agenomic does not use personal data to make legally binding automated decisions about users. If this changes, we will update this policy.
15. Children
Agenomic is intended for professional users and is not directed to children.
16. Changes to this policy
We may update this policy from time to time. Material changes will be notified where appropriate, and the “Last updated” date above will always reflect the current version.

